Nov 5th analysis: What it would take to hack the White House

Close to midnight on 4th November 1605, Guy Fawkes was discovered in a basement deep beneath the House of Lords, guarding 36 barrels of gunpowder. The plan was to blow the place sky high when Parliament convened the following day. The aim was to kill the king.

The plotters were only discovered at the last minute, and Guy Fawkes was not the ringleader. Yet he became the example – and even now, long after his own hideous death – the people of Britain continue to ritually burn effigies of him on Bonfire Night, November 5th.

Stories like this always seem a bit odd, dated and macabre when relayed back as history. Yet all the gripes, grudges and reasons why attacks like this happen remain consistent today. And in a way, in terms of style, the closest modern parallel is cyber warfare. So, with this in mind, we consulted a series of experts to discover what it would take to breach the White House.

“Nobody – and I mean nobody – is too big or too powerful to become a victim,” clarifies Piers Wilson, head of product management at Huntsman Security. “The White House is no different. All it needs is for an unwitting staffer to open the wrong email attachment, plug in the wrong USB stick or decide to take some work home and hackers could instantly have access to its data or systems.”

The big difference with the White House, though, is its secrecy. “Few outside the government really know the full extent of the ‘information systems’ inside,” says Corey Nachreiner, CTO at WatchGuard. However, even without knowing this, “it’s safe to say the White House has classified systems and unclassified systems”.

“If the bad guys are looking to get close to classified White House information without actually being inside the White House, they must accomplish the very difficult feat of ‘jumping the air gap’,” explains former FBI Cyber Special Agent Andre McGregor, now a Director at Tanium.

“[This] is the completely separated barrier separating internet-facing unclassified computers from non-internet classified networks. This feat requires intimate knowledge of personnel and systems along with high technical abilities across multiple platforms and data structures.”

But how would this work in practice?

Nachreiner believes that a hack of the White House would most likely involve three things. He lists the first of these as targeted spear phishing attacks, as “humans are the weakest link in the attack chain”. He explains this would require significant reconnaissance of the target and a good understanding of their links to other members of the organisation. “Often, the attacker may not be able to initially trick the real victim, so they need to target others who may have a connection to the target.”

The second, Nachreiner specifies, is a chain-of-trust attack, which involves infiltrating a third-party organisation that has some sort of business or operational tie to the victim. “For instance, an attacker might first send spear-phishing emails to a member of some other government agency to infect that contact’s computer,” he says. “Then they’ll use that government user's official access to communicate with a victim at the White House.”

The third he describes as “lateral movement”. As he puts it: “Even if a White House staffer’s device is infected, the White House probably has very strong segmentation between devices going in and out of the building, internal devices on the unclassified network, and internal devices that are on classified networks. The attacker would then need to leverage the staffer’s devices to start enumerating internal networks, in order to find a way they may be able to pivot their attack to their real target or devices.”

Cyber expert Cameron Brown adds: “The cyberattack surface for White House personnel extends beyond the hallowed grounds in Washington DC due to extensive travel itineraries associated with diplomatic affairs in foreign countries. Adversaries are known to target networks within hotels and venues frequented by key political figures.”

Wilson believes that, logistics aside, the real questions we should be asking are what will happen when an attack occurs, and what the perpetrators will be after.

“The greatest threat is that any attack won’t be noticed until it’s too late,” he says. “Only luck prevented the gunpowder plot, and modern organisations need to rely on more than that. The time to detect an attack can stretch to over 200 days, which is plenty of time for perpetrators to get away with anything.”

“For well-resourced groups seeking to target institutions like the White House, a little patience, persistence and insider collusion may yield something,” suggests Brown. The question, he feels, is whether there is anything of value to access.

To my mind, it seems very likely there is. This is simply because if you’re a government in charge of a large, diverse population, there are bound to be a lot of things you don’t want people to know. This is not necessarily nefarious. It is simply a reflection of the fact that many small things – in the grand scheme of things – can easily become very politically sensitive in the hands of everyone.

Memset’s Security Manager, Thomas Owen, concludes with an interesting point: “Malicious actors should take heart. There’s no reason, with a bit of luck, the right level of skill and consistent care when hiding their identity and covering their tracks, for the individual or group hacking the White House to ever be held to account.”

“Should the attackers be consistently stealthy, innovative and perhaps sprinkle a few indicators of compromise implicating a juicy state-level aggressor, there’s every chance that realpolitik will let them get off – publicly, at least – scot-free.”

Maybe, after all, the cybercriminals of today would get a far better deal than Guy Fawkes then? Or perhaps if the right person gets caught, they too will be ritually vilified for eternity. I guess we’ll only know if it happens.